BGP tampering behind domain redirection

By John E Dunn

ITworld | November 18, 2010

Techworld –

China Telecom has issued a curt denial that it was complicit in a claimed 'hijacking' of Internet traffic earlier this year that saw large volumes of data destined for sensitive US military and commercial websites briefly travelling through its network.

The errant routes covered traffic to roughly 15% of the Internet's destinations, which the report noted happen to include "the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the NASA, the Department of Commerce, the National Oceanic and Atmospheric Administration," as well as Yahoo, Microsoft and IBM.

In a statement reportedly emailed to AFP, China Telecom "denied any hijack of Internet traffic" without elaborating further.

What happened is fairly straightforward. Routers inside China Telecom announced, using the Border Gateway Protocol (BGP), routes for blocks of IP addresses the company does not own; neighbouring networks that accepted those announcements then forwarded traffic for those blocks into China Telecom. BGP routes are exchanged between the routers of peering Internet providers (not, as is sometimes reported, between DNS servers) and are accepted largely on trust, so a bogus announcement from a large network can propagate widely. The announcements are believed to have originated with a third-party ISP, IDC China Telecommunications, and to have been passed on by China Telecom. The origin of the routes does not by itself settle whether the act was deliberate: a misconfiguration and an intentional hijack look identical in the routing data.

"While in Beijing, those data could conceivably be monitored, censored, or replaced with other data. This could take place quickly enough to go unnoticed by the computer user," said the report authors.

How the issue was discovered is not mentioned. It could have been noticed inside China Telecom as traffic it had no reason to carry arrived; external BGP monitors that record route announcements would also have seen the errant routes, though typically only after the event. Working out the motivation for the attack, if that is what it was, will probably prove impossible, since the routing data covered a large number of less sensitive destinations as well as the ones listed.

The claimed 'attack' will attract huge attention because it underlines the vulnerability of the Internet to simple incursions that subvert its trust-based routing model. This was of little consequence when most of the Internet was in the US, but the system is now global, and attempts to subvert routing data are said by experts to be routine.

Indeed, manipulation of basic routing functions is standard practice for Internet censorship regimes the world over, and it can go wrong spectacularly. In February 2008, what is now believed to have been a botched attempt by Pakistan Telecom to block YouTube inside Pakistan leaked to the wider Internet and disrupted the service globally.

The report quoted a submission from Arbor Networks' CSO Danny McPherson that the intention of the attack could have been to hide an unknown targeted attack.

None of this will be easy to fix, but greater emphasis on BGP monitoring, comparing each announcement against the expected origin of the address block it covers, could spot such incidents before they do serious damage.
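The two points above, how a bogus announcement captures traffic and what a monitor would check, can be shown in a small model. The following is an added illustration and is not code from the article or the congressional report: it implements a simplified BGP decision process (longest prefix match, then shortest AS path), then checks a stream of announcements against a baseline of expected origin ASes. The prefixes are the documented example ranges from RFC 5737, the AS numbers are from the private range of RFC 6996, and the routes, the baseline and the "hijack" announcements are all constructed for the example.

```python
"""Toy model of BGP best-path selection and origin-hijack detection.

Added illustration, not from the report or the article. All prefixes,
AS numbers, routes and announcements below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    # Leftmost entry is the neighbour the route was heard from,
    # rightmost is the AS that originated it.
    as_path: tuple

    @property
    def origin(self):
        return self.as_path[-1]


def best_route(rib, dest):
    """Simplified BGP decision: longest prefix match wins, then shortest AS path."""
    dest = ipaddress.IPv4Address(dest)
    candidates = [r for r in rib if dest in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def check_announcements(baseline, announcements):
    """Flag announcements whose origin AS differs from the expected origin of the
    covering prefix in the baseline, including more-specific sub-prefixes."""
    alerts = []
    for route in announcements:
        for known_prefix, expected_origin in baseline.items():
            if route.prefix.subnet_of(known_prefix) and route.origin != expected_origin:
                kind = "more-specific" if route.prefix != known_prefix else "origin change"
                alerts.append((kind, str(route.prefix), route.origin, expected_origin))
    return alerts


# Constructed baseline: which AS is expected to originate each prefix
# (in practice built from routing history or a registry of authorisations).
BASELINE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
}

# Legitimate routes already in a router's table, heard via transit AS 64500.
LEGIT_RIB = [
    Route(ipaddress.ip_network("192.0.2.0/24"), (64500, 64496)),
    Route(ipaddress.ip_network("198.51.100.0/24"), (64500, 64497)),
]

# Constructed hijack by AS 64511: the same /24 announced with a shorter path
# (the hijacker is a direct neighbour), and a more-specific /25 of the other block.
HIJACK = [
    Route(ipaddress.ip_network("192.0.2.0/24"), (64511,)),
    Route(ipaddress.ip_network("198.51.100.0/25"), (64511,)),
]


def simulate(dests=("192.0.2.5", "198.51.100.10")):
    """Origin AS carrying traffic to each destination before and after the hijack."""
    return {
        d: (best_route(LEGIT_RIB, d).origin, best_route(LEGIT_RIB + HIJACK, d).origin)
        for d in dests
    }


if __name__ == "__main__":
    for dest, (before, after) in simulate().items():
        print(f"{dest}: traffic went to AS{before}, now goes to AS{after}")
    for alert in check_announcements(BASELINE, LEGIT_RIB + HIJACK):
        print("ALERT", alert)
```

Both levers the hijacker pulls are visible: the shorter AS path beats the legitimate /24 outright, and the /25 wins regardless of path length because routers always prefer the more specific prefix. The monitor catches both only because it has a baseline to compare against; without a record of who should originate each block, neither announcement looks wrong to a router.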

In the US, headlines will project yet another US-China Internet security confrontation, but the event should be put into some context. It occupies only a few paragraphs around page 250 of a wide-ranging congressional report, and that report is reluctant to lay the blame directly at the feet of the Chinese government.

The Chinese Foreign Ministry has reportedly refused to comment on the matter.